Here in the Midwest US, we have a saying about March, “In like a lion, out like a lamb.” This is in reference to the month starting with strong winter weather and letting off as the month progresses. In fact, we just had a blizzard that dropped 9-12 inches of snow across most of the region overnight, but a week later I see grass and sunny skies and have shed the winter coat!

At first glance, March Patch Tuesday looks like a lamb, but this lamb might have the teeth of a lion. The standard lineup of updates resolves 57 CVEs across the Windows OS, Office, .Net and Visual Studio, with a couple of Azure component updates in the mix. Google Chrome updated in the lead up to Patch Tuesday (March 10 update), and Adobe released seven updates, including Adobe Acrobat and Acrobat Reader.

Now let’s talk teeth. There are seven known exploited CVEs for the March lineup.

  • Microsoft resolved six known exploited CVEs. The zero-day exploits affect the Microsoft Management Console, NTFS, Fast FAT, and the Win32 Kernel Subsystem. All six exploits are rated Important with CVSS scores ranging from 4.6 to 7.8. The good news is all six are resolved by the March Windows OS update, so the majority of the immediate risk is resolved by that one update.
  • Google resolved one known exploited CVE (CVE-2025-24201), which according to the release notes from Google is an out of bounds write-in GPU on Mac reported by the Apple Security Engineering and Architecture (SEAR) team – so likely only a concern for Mac users. (Based on Microsoft’s release notes, it looks like Edge has not resolved the five CVEs in the March 10 release.)

Microsoft exploited vulnerabilities

Microsoft has resolved a Security Feature Bypass in Microsoft Management Console (CVE-2025-26633). The vulnerability is rated Important and has a CVSSv3.1 score of 7.0. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. An attacker would need to take additional actions to prepare the target environment for exploitation, but the vulnerability allows for a variety of user-targeted tactics to exploit, including instant message, email and web-based attacks scenarios. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft has resolved a Remote Code Execution vulnerability in Windows NTFS (CVE-2025-24993). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft has resolved an Information Disclosure vulnerability in Windows NTFS (CVE-2025-24991). The vulnerability is rated Important and has a CVSSv3.1 score of 5.5. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft has resolved a Remote Code Execution vulnerability in Windows Fast FAT File System Driver (CVE-2025-24985). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft has resolved an Information Disclosure in Windows NTFS (CVE-2025-24984). The vulnerability is rated Important and has a CVSSv3.1 score of 4.6. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Win32 Kernel Subsystem (CVE-2025-24983). The vulnerability is rated Important and has a CVSSv3.1 score of 7.0. The vulnerability affects older Windows editions including Windows 10 and Server 2008 to Server 2016. Microsoft has confirmed that this CVE is exploited in the wild. If exploited, the attacker could gain SYSTEM-level privileges. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft’s publicly disclosed vulnerabilities

Microsoft has resolved a Remote Code Execution vulnerability in Microsoft Access (CVE-2025-26630). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects Microsoft Access 2016, Office 2019, Office LTSC 2021 and 2024, and Microsoft 365 Apps for Enterprise. Microsoft has confirmed that this CVE has been publicly disclosed, but the code maturity is set to be unproven. The disclosure could provide attackers with some additional information to formulate an exploit, but the lack of code samples will increase their efforts. Risk-based prioritization would indicate a slightly higher risk for a disclosure without functional code, but not enough to bump this CVE up to Critical.

Third-party vulnerabilities 

  • Google Chrome released updates on March 10 resolving five CVEs, including one known exploited CVE (CVE-2025-24201). The exploit is documented as an out of bounds write-in GPU on Mac. The priority is higher for macOS than Windows for this update.
  • Adobe released seven updates resolving 37 CVEs. The updates affect Adobe Acrobat and Reader, Illustrator, InDesign, Substance 3D Sampler, Painter, Modeler and Designer. All seven updates are rated priority three and can be handled in the course of your monthly update activities.

Ivanti security advisory

Ivanti has released two updates for the March Patch Tuesday resolving a total of two CVEs. The affected products are Ivanti Secure Access Client (ISAC) and Ivanti Neurons for MDM (N-MDM). For more details you can view the updates and information provided in the March Security Update on the Ivanti blog.

March update priorities

  • The Windows OS update is the top priority update this month resolving six known exploited CVEs.
  • The March 10 Google Chrome update resolves one known exploited vulnerability on macOS, making the macOS Chrome update a priority.